[Amin_Mansouri]

ust test code a crypter in xe2 (64bit). Bcoz in 64bit peb location moved and sizeof pointer is 8, some walking peb failed and u will get error .

Btw here u go alternative getmodulehandle compatible 32 and 64bit pe (xe2)

کد:

function GetLdr:Pointer; stdcall;
asm
{$IFDEF CPUX86}
  xor   eax, eax
  mov   eax, fs:[eax+$18] //teb
  mov   eax, [eax+$30] //peb
  mov   eax, [eax+$0C] //ldr
{$ELSE}
  xor   rax, rax
  mov   rax, gs:[rax+$30] //teb
  mov   rax, [rax+$60] //peb
  mov   rax, [rax+$18] //ldr
{$ENDIF}
end;

function ExGetmoduleHandle(name: PWideChar): THANDLE;
var
  x, f, cur  : NativeUint;
begin
  result := 0;
  //getLdr
  x := NativeUint(GetLdr);  
{$IFDEF CPUX86}
  //InMemoryOrderModuleList    
  f := x+$14;  
  //InMemoryOrderModuleList.Flink
  cur := PNativeUint(f)^;
  while (cur <> f) do begin
    x := cur - $8;
    //BaseDllName
    if (StrComp(PWideChar(PNativeUint(x+$30)^), name) = 0) then begin
      //DllBase
      result := PNativeUint(x+$18)^;
      exit;
    end;
    cur := PNativeUint(cur)^;
  end;
{$ELSE}
  //InMemoryOrderModuleList    
  f := x+$20;
  //InMemoryOrderModuleList.Flink
  cur := PNativeUint(f)^;
  while (cur <> f) do begin
    x := cur - $10;
    //BaseDllName
    if (StrComp(PWideChar(PNativeUint(x+$60)^), name) = 0) then begin
      //DllBase
      result := PNativeUint(x+$30)^;
      exit;
    end;
    cur := PNativeUint(cur)^;
  end;
{$ENDIF}
end;